Apple has released new security patches for its macOS and iOS devices, managing to be both the first and the last of the major OS vendors to fix the serious Meltdown vulnerability.
When the Meltdown and Spectre CPU vulnerabilities were first revealed earlier this month, people were surprised to learn that Apple had already included mitigation for Meltdown, the most serious of the flaws, in macOS 10.13.2, iOS 11.2 and tvOS 11.2, which were released in early December.
The company then followed that up with Spectre mitigations for Safari and WebKit in macOS High Sierra 10.13.2 Supplemental Update, released Jan. 8. However, systems running older versions of macOS, including Sierra (10.12) and El Capitan (10.11), remained vulnerable to all of the flaws.
That changed Jan. 23 with the release of Security Update 2018-001 for Sierra and Security Update 2018-001 for El Capitan, which include fixes for Meltdown (CVE-2017-5754). This is two weeks after Microsoft released Meltdown patches for all supported Windows versions and after the KPTI mitigation was backported to long-term supported versions of the Linux kernel.
Meltdown is a serious vulnerability that could allow a malicious user-space application to read sensitive information like encryption keys, passwords and other secrets from the kernel’s memory. Fixing it required significant changes to how operating systems manage and isolate kernel memory from user processes.
Apple also released a new security update for macOS High Sierra, 10.13.3, fixing additional kernel vulnerabilities that could allow applications to read restricted memory (CVE-2018-4090, CVE-2018-4092 and CVE-2018-4093). Two of them were reported by Jann Horn of Google Project Zero, one of the researchers who found the Meltdown and Spectre flaws.
The update also contains patches for three privilege escalation flaws that could allow applications to execute code with kernel privileges; three arbitrary code execution vulnerabilities in the audio, QuartzCore and WebKit components; a sandbox bypass issue; a certificate validation problem; and a restricted memory access flaw in the Wi-Fi subsystem.
In addition to the macOS patches, Apple also released iOS 11.2.5, tvOS 11.2.5, watchOS 4.2.2, Safari 11.0.3, iCloud for Windows 7.3 and iTunes 12.7.3 for Windows.
New Peer-to-Peer Botnet Targets IoT Devices
Researchers from antivirus firm Bitdefender have discovered a new botnet that targets IP cameras and other internet of things (IoT) devices. The botnet has been dubbed Hide ‘N Seek (HNS) and has already infected 20,000 devices over the past few days.
What’s interesting about this botnet is that it uses a decentralized infrastructure and worm-like behavior, wherein one compromised device scans for and infects others. Attackers also can instruct the peers to relay commands to each other, an architecture that offers better resistance to takedown attempts than botnets that rely on centralized command-and-control servers.
“It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer architecture,” Bitdefender researcher Bogdan Botezatu wrote in a blog post. “However, if in the case of Hajime, the p2p functionality was based on the BitTorrent protocol, here we have a custom-built p2p communication mechanism.”
HNS spreads by brute-forcing login credentials on multiple protocols including Telnet and HTTP, but also uses known exploits. The malicious payload stores its configuration data in memory and uses elliptic curve digital signatures so that other attackers or researchers cannot modify it and potentially hijack the botnet.
The botnet has commands that allow attackers to perform data exfiltration, code execution and to interfere with a device’s operation.
“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft—potentially suitable for espionage or extortion,” Botezatu said.